Commentary: Hype is the real issue

When it comes to information security, "information anarchy" isn't the problem--instead, the focus should be on reducing company hype.

January 16, 2002 3:15 PM PST

By Richard Stiennon, Gartner Analyst

The comments of Microsoft's Scott Culp, manager of the company's security response center, echo a common refrain in a long, ongoing battle over information. Discussions of morality regarding the distribution of information go way back and are very familiar. Several centuries ago, for example, the church tried to squelch Copernicus' and Galileo's theory of the sun being at the center of the solar system, and in the 20th century Darwin's writings about the theory of evolution were banned in a number of states in the United States.

Culp's attempt to blame "information security professionals" for the recent spate of vulnerabilities in Microsoft products is at best disingenuous. Perhaps it also represents an attempt to deflect criticism from the company that built those products.

Culp has also manufactured some new numbers related to the losses suffered by companies because of the vulnerabilities in Microsoft's Internet Information Server (IIS). Culp says the losses amount to billions of dollars. Gartner believes that hype associated with security risks is the real problem, and that companies engaging in hype are culpable.

Security firms and professionals have already begun to cut back on self-serving press releases and hyperbole while they also research and discover new vulnerabilities and responsibly disseminate new information. Thus, to criticize those contributions to awareness and early warning while using unfounded numbers to make a point is a shot gone astray in the ongoing battle between information freedom and control.

In truth, the responsibility for information security falls to the entire IT community--software companies, security firms, businesses and individuals. None should shoulder the whole blame for security lapses. Rather, the efforts of all parties contribute to a continuous process of improvement. The more widely vulnerabilities become known, the more quickly they get fixed.